Target
- Customers federating Microsoft 365 with Access Control
Purpose
- To delete the federation between Access Control and Microsoft 365, preventing Access Control from intervening in logins to Microsoft 365.
- If user synchronization is being performed between Access Control and Microsoft 365, delete the settings to stop synchronization.
Notes
- The content of this article is based on the product specifications as of October 2025 and may change without notice thereafter.
- After performing this procedure, it will take some time to delete the federation.
※ The estimated time for deleting the federation is about 30 minutes to 1 hour.
- After deleting the federation, please perform a Microsoft 365 Password Reset.
※ If password synchronization is being performed between Active Directory → Microsoft 365 using Microsoft's synchronization tool, this is not necessary.
- After deleting the federation, please log in from the Microsoft 365 login page.
- Please uninstall the Secure Browser app and device certificates from each user's device.
※ Even if they remain, they will not affect the device, but they cannot continue to be used.
- Global administrator privileges for both Microsoft 365 and Access Control are required for periodic sync and deleting the federation.
Table of Contents
- Deleting the Federation
- Deleting the Sync Service
- Microsoft 365 Password Reset
- Deleting Enterprise Applications
- Deleting Other SSO Services
Procedure
Deleting the Federation
1. Access the [System] - [Edit Connected Service] from the Access Control Administration.
2. Select the row where the "Display Name" is [Microsoft] and the "Type" is [Microsoft] from the service summary.
※ If the item does not exist, proceed to Disconnecting the Federation (Powershell).
3. Select [Federated Domains] - [Manage Domains].
4. If the [Required Permissions] screen of Microsoft 365 is displayed, check [Consent on behalf of your organization] and select [Accept].
※ If verification is completed, proceed to the next screen by selecting users.
5. In the "Domain Management" screen, check the status of the domain you want to delete the federation for and perform the corresponding procedure.
- [Federated] (Legacy): Please perform from step 6 onwards.
- [Federated]: Please perform from step 8 onwards.
6. Click [Upgrade] for the target domain.
7. Check the content on the confirmation screen and click [Upgrade Domain].
Confirm that the status changes to [Federated].
8. Click [Remove] for the target domain.
9. Check the content on the confirmation screen and click [Delete Domain].
Confirm that the status changes to [Not Federated].
10. If there are multiple domains you want to delete the federation for, repeat this procedure.
11. Once the disconnection of all domains is complete, proceed to Deleting the Sync Service.
Disconnecting the Federation (Powershell)
※ If you have already executed federation with another IdP service, do not perform this procedure.
1. Confirm that the Microsoft Graph PowerShell SDK module is installed in PowerShell by completing the following procedure.
Installing the Microsoft Graph PowerShell SDK
2. Launch PowerShell and execute the following command.
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
3. A login dialog will be displayed, so log in with an account that has global administrator privileges for Microsoft 365.
4. Execute the following command to confirm the domain information.
Confirm that the "AuthenticationType" of the domain in use is "Federated".
Get-MgDomain
5. Execute the following command to disconnect the federation.
※ Immediately after disconnection, it may take time for the settings to be reflected within Microsoft 365, so single sign-on behavior may continue for a while.
Update-MgDomain -DomainId [Your Domain] -AuthenticationType "Managed"
6. Execute the following command to confirm the domain information.
Confirm that the "AuthenticationType" of the domain disconnected in step 5 is "Managed".
Get-MgDomain
7. Execute the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
8. Proceed to Deleting the Sync Service.
Deleting the Sync Service
If performing periodic sync between Access Control and Microsoft 365
1. Stop the periodic sync between Access Control and Microsoft 365.
For details, please refer to the article below.
Procedure to Stop Periodic Sync with Access Control Microsoft 365
If synchronizing between Active Directory and Access Control
Perform the following steps on the Windows server where the HDE One sync service is installed.
1. Uninstall HDE One Directory Sync
From the [Control Panel] - [Programs and Features] summary, uninstall the following program
HDE One Directory Sync x.x.x
2. Delete HDE One Directory Sync related files
Manually delete all files in the "C:\Program Files\HDE One Directory Sync" folder and directly under that folder.
3. Delete files under the HDEOne folder
If the "C:\HDEOne" folder exists, manually delete that folder and all files directly under that folder.
Microsoft 365 Password Reset
The method for bulk password reset in Microsoft 365 is shown below.
※ If password synchronization is being performed between Active Directory >> Microsoft 365, this task is not necessary.
※ Each command must be executed in a single line.
To perform this procedure, the Microsoft Graph PowerShell SDK module must be installed in PowerShell.
Please ensure the following content is completed in advance.
Installation of Microsoft Graph PowerShell SDK
1. Create a "temp" folder directly under the C drive
On the working PC, create a "temp" folder directly under the C drive.
2. Log in with Microsoft Graph PowerShell
Execute the following command in PowerShell.
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
※ A login dialog will be displayed, so please continue the login process with an account that has global administrator privileges for Microsoft 365.
3. Obtain a summary of users
Execute the following command to output a summary of users.
※ Outputs users whose User Principal Name is not "*.onmicrosoft.com".
Get-MgUser -All | where { -not ($_.userprincipalname -like "*.onmicrosoft.com") } | select UserPrincipalName | Export-Csv c:\temp\volunteers.csv -NoTypeInformation
4. Manually delete account information such as meeting rooms from the CSV list of users
Manually delete account information such as meeting rooms that are not subject to password changes from the CSV file (volunteers.csv) located in the "c:\temp" folder.
5. Bulk password change
Execute the following commands one line at a time to change passwords in bulk.
$params = @{
    PasswordProfile = @{
        ForceChangePasswordNextSignIn = $True
        Password = "XXXXXXXX"
    }
}
Import-Csv c:\temp\volunteers.csv | where { Get-MgUser -UserID $_.UserPrincipalName; Update-MgUser -UserID $_.UserPrincipalName -BodyParameter $params }
※ Each user will need to change their password after logging in to Microsoft 365.
※ All users will have the same password.
Change the "XXXXXXXX" in the above command to the initial login password string.
▼ Password requirements
Azure AD Password Policy
※ Depending on various client applications such as Outlook, the authentication dialog may not be displayed immediately due to the authentication cache retention specifications of Microsoft 365.
6. Disconnect from Microsoft Graph
Execute the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
※ The [Connect-MgGraph] command retains the previously authenticated credentials, so you will not be prompted to sign in the next time you start. Therefore, to ensure sign-out, it is necessary to execute [Disconnect-MgGraph].
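Step 5 above sets one shared initial password for every account. The following script is an added example, not part of the vendor procedure: run in place of step 5 (after step 4 and before step 6, in the same Connect-MgGraph session), it gives each user in volunteers.csv a different random temporary password and records the outcome per user. Get-RandomChar, New-TempPassword, $DryRun, $OutFile and the sample users are assumptions made for this example.

```powershell
# Added example, not part of the vendor procedure. New-TempPassword, Get-RandomChar,
# $DryRun and $OutFile are names made up here; the sample users are constructed.
$DryRun  = $true                          # $false = really call Microsoft Graph
$OutFile = 'c:\temp\temp-passwords.csv'   # hypothetical path; protect and delete after use

function Get-RandomChar {
    param([string]$Chars, $Rng)
    # Rejection sampling on one random byte avoids modulo bias.
    $limit = 256 - (256 % $Chars.Length)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $Chars[$b[0] % $Chars.Length]
}

function New-TempPassword {
    param([int]$Length = 16)
    # Look-alike characters (such as 0/O and 1/l/I) are omitted.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $pw = -join (1..$Length | ForEach-Object { Get-RandomChar -Chars $all -Rng $rng })
            # Retry until upper, lower, digit and symbol are all present.
            $missing = $sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -lt 0 }
        } while ($missing)
        return $pw
    } finally { $rng.Dispose() }
}

# Dry run uses constructed rows instead of the real volunteers.csv.
$users = if ($DryRun) {
    'UserPrincipalName', 'alice@example.com', 'bob@example.com' | ConvertFrom-Csv
} else { Import-Csv 'c:\temp\volunteers.csv' }

$results = foreach ($u in $users) {
    $pw = New-TempPassword
    $status = 'dry-run'
    if (-not $DryRun) {
        $params = @{ PasswordProfile = @{ ForceChangePasswordNextSignIn = $true; Password = $pw } }
        try {
            Update-MgUser -UserId $u.UserPrincipalName -BodyParameter $params -ErrorAction Stop
            $status = 'reset'
        } catch { $status = "failed: $($_.Exception.Message)"; $pw = '' }
    }
    [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; TempPassword = $pw; Status = $status }
}
if ($DryRun) { $results } else { $results | Export-Csv $OutFile -NoTypeInformation }
```

With $DryRun left at $true the script only prints passwords for the constructed sample users and never contacts Microsoft Graph. The output CSV holds cleartext temporary passwords, so restrict access to it and delete it once the passwords have been handed out.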
Delete Enterprise Applications
Access the Microsoft 365 Admin Center.
Click [ID] from the left menu to access the Microsoft Entra Admin Center.
Open [Entra ID] - [Enterprise Applications].
Click "HENNGE Access Control Federation Configuration" from the list of applications displayed on the right.
Click [Manage] - [Properties] from the left menu.
Select [Delete] at the top of the Properties screen, then click [Yes].
Disconnect Other SSO Services
If there are services (other than Microsoft 365) that use single sign-on (SSO) with Access Control, please perform the SSO disconnection work.
Check the "Edit Connected Service" in the Access Control Administration.
Also, the SSO disconnection work needs to be performed at the connected service provider (SP). Please check with each SP's support desk for detailed disconnection methods.
The setup is complete.
Please contact HENNGE One Technical Support once the work is completed.